Write Up for Malware Analysis CTF created by @Bowflexin91 & @HBRH_314
Register here: https://t.co/NT6T6u1x93
Family Ties
The first challenge is pretty straightforward: we need to attribute or identify this sample. A great source of OSINT and basic information about files is VirusTotal.
So let’s calculate the SHA256 hash for this sample and search it on VT.
It just so happens that the file name is also the hash, but below are the bash and PowerShell commands to calculate it.
$ sha256sum filename
> Get-FileHash .\filename
6f57eb37bff30df1a66f848cb648799536dcbc05f6fb32d1ae071102ffd830ee
Now we pivot to VT and search the hash. The Community tab can be a great resource for OSINT info.
We see that Joe Sandbox identified this sample as IcedID, which is also known by another name.
Flag: Bokbot
Moving Around
A certain community-based wiki page has this to say about ASLR: "Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries."
We need to determine if this sample uses ASLR. By leveraging a program like PeStudio we can view the header information to discover the answer. Just drag the sample into the open PeStudio window and check out the optional-header section.
Flag: Yes
Phone Home
A quick way to discover what domains this sample may contact is, again, a quick jaunt over to VirusTotal. Check out the Behavior tab for some details on execution.
Based on the challenge criteria, we need to put the random domain first.
Flag: dsedertyhuiokle.top, aws.amazon.com
Time is a Flat Circle
To identify compiler timestamps, a program like PeStudio does the trick quite nicely.
Now, we make sure to format it into the requested template and voila!
Flag: Tue May 04 11:02:41 2021
Enter the Matrix
While we have this sample open in PeStudio, let's check out the sections info. There, we find the entry-point details.
Flag: 0x00005F40
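The three PeStudio lookups above (ASLR opt-in, compiler timestamp, entry point) are all plain fields in the PE headers. The following is an added example, not part of the original write-up: a minimal pure-Python header reader that pulls those fields from any PE file, plus a constructed PE32+ header blob to exercise it (the blob is not the IcedID sample; its values are chosen to match the flag formats used here). It also checks the COFF IMAGE_FILE_RELOCS_STRIPPED bit, because DYNAMIC_BASE alone does not give a usable ASLR if the loader has no relocations to apply.

```python
import struct
import time

# Flag bits from the PE spec (IMAGE_DLLCHARACTERISTICS_* / IMAGE_FILE_*)
DYNAMIC_BASE = 0x0040        # image opts in to ASLR
HIGH_ENTROPY_VA = 0x0020     # 64-bit ASLR (PE32+ only)
RELOCS_STRIPPED = 0x0001     # COFF flag: no relocations, so the image cannot move

def inspect_pe(data: bytes) -> dict:
    """Read the header fields the write-up looks up in PeStudio."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    coff_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32/PE32+
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "compile_time": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(timestamp)),
        "entry_point": f"0x{entry_rva:08X}",
        "pe32_plus": magic == 0x20B,
        # DYNAMIC_BASE means nothing if the loader has no relocations to apply
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }

def build_sample_pe(timestamp, entry_rva, dll_chars, coff_chars=0x2022) -> bytes:
    """Constructed minimal PE32+ header (not the IcedID sample), enough to parse."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, coff_chars)
    opt = bytearray(240)                      # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    # Constructed values chosen to match the write-up's flag formats
    info = inspect_pe(build_sample_pe(1620126161, 0x5F40, 0x0160))
    for k, v in info.items():
        print(f"{k:16} {v}")
```

Point inspect_pe at the bytes of a real file (open(path, "rb").read()) to reproduce the PeStudio values; the timestamp is printed in UTC, which is what PeStudio shows.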
How Conventional
I started this challenge with a search for calling conventions on the Googles to learn what we are even looking for, and I would suggest you complete a similar exercise as well. OK fine, I found a pretty good article, so I will share it with you.
OK. First things first, we need to identify which export is ordinal number one. We can do that with PeStudio as well. Take a look at the exports section and find the function with ordinal 1.
We have identified DllRegisterServer as the export at index 1.
Next, we open the file in Ghidra. After opening Ghidra, drag the file to the project window and open the code browser by double-clicking the file. Ghidra will ask you if you want to analyze the file. Well yeah, of course we do.
After the analysis is complete, we will expand the Functions folder under the Symbol Tree, then click on the function we are looking for to jump to the code.
Here, we find the calling convention information.
Flag: _fastcall
Bookshelf
We already have the file open in Ghidra, so we’ve got that going for us. We need to search for the function call addresses.
Either hit CTRL + Shift + E or select Search from the top bar menu and select Program Text…
Next, enter LoadLibraryA as the search term, select All Fields and click Search All.
In the search results window, look for the Namespace column that contains DllRegisterServer and copy the Location address.
Now, we put the addresses in order and we finish Lab 01.
Flag: 180001ca8, 1800032c8